Researchers at Outflank have published a new process injection technique called Early Cascade Injection, designed to evade endpoint detection and response (EDR) products. The technique hooks into the early, user-mode stage of Windows process creation, lowering the chance of detection and offering an alternative to established methods such as Early Bird APC Injection.
Early Cascade Injection intervenes in process creation at the user-mode level, combining ideas from Early Bird APC Injection and the more recent EDR-Preloading technique. Unlike Early Bird, it does not need a cross-process asynchronous procedure call (APC): the injector never queues an APC to a thread in the target process, which removes one of the signals EDRs watch for.
Code execution relies on undocumented internals of ntdll.dll. The key one is g_pfnSE_DllLoaded, an internal function pointer that the loader calls before core libraries such as kernel32.dll and kernelbase.dll have been initialized; overwriting it hands the injector control very early in the life of the new process.
Once the small first-stage stub has run via “g_pfnSE_DllLoaded”, it calls NtQueueApcThread to queue the main payload as an APC on the process's own current thread. That payload executes during a late stage of process initialization, when the loader calls NtTestAlert and the pending APC queue is flushed.
Compared with classic Early Bird APC Injection, the new method removes the cross-process APC queueing that EDRs treat as suspicious; the only remaining cross-process operations are creating the suspended process and writing into it. Nor does Early Cascade Injection need to change memory protections before writing, because the ntdll sections it modifies (“.mrdata” and “.data”) are still writable while the process is suspended, so the injector never has to call VirtualProtectEx or an equivalent.
Early Cascade Injection evades detection because its code runs before the EDR has had a chance to set up its protections inside the new process. EDR products commonly load their own user-mode DLL and install hooks during the early stages of process initialization, as the first DLLs are loaded. This technique gains control at exactly that point, which gives the payload an opportunity to interfere with the loading of those protective modules before they are in place.
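The flip side of the evasion described above is what the technique cannot hide: it still has to write into the child's ntdll image while the child sits suspended. As an added example (not part of the original article or of Outflank's research), the following Python hunting heuristic flags exactly that footprint: a cross-process memory write that lands inside the ntdll image of a child created with CREATE_SUSPENDED and not yet resumed. The telemetry schema (ProcessCreate, ImageLoad, RemoteWrite, ThreadResume), the PIDs, the addresses and the ntdll offset are all constructed for this example and are not the format of any real EDR or of Sysmon; it assumes a sensor that records process-creation flags, image loads and cross-process writes.

```python
"""Hunting heuristic for the footprint Early Cascade Injection cannot avoid.

The technique needs no cross-process APC and no protection change, but the
injector still has to write into the child's ntdll image (.mrdata/.data) while
the child is suspended. This script flags exactly that: a cross-process write
into the ntdll image of a process that was created with CREATE_SUSPENDED and has
not been resumed yet. The event schema is constructed for this example and is
not the format of any real EDR or of Sysmon.
"""

# Constructed sample telemetry: PIDs, addresses and the ntdll size are made up.
NTDLL_BASE = 0x7FFD1A000000
NTDLL_SIZE = 0x1F8000

SAMPLE_EVENTS = [
    # Injector 3900 spawns notepad suspended, writes the payload and a pointer
    # into ntdll, then resumes the child.
    {"event": "ProcessCreate", "pid": 4100, "ppid": 3900,
     "image": r"C:\Windows\System32\notepad.exe", "flags": ["CREATE_SUSPENDED"]},
    {"event": "ImageLoad", "pid": 4100, "image": r"C:\Windows\System32\ntdll.dll",
     "base": NTDLL_BASE, "size": NTDLL_SIZE},
    {"event": "RemoteWrite", "source_pid": 3900, "target_pid": 4100,
     "address": 0x1C0000, "size": 512},             # payload: outside ntdll
    {"event": "RemoteWrite", "source_pid": 3900, "target_pid": 4100,
     "address": NTDLL_BASE + 0x1B4F08, "size": 8},  # pointer overwrite in ntdll
                                                    # (made-up offset, varies per build)
    {"event": "ThreadResume", "pid": 4100},
    # A child created without CREATE_SUSPENDED and written to later (a debugger,
    # for instance): same kind of write, but the target was never
    # suspended-since-creation, so it is not flagged.
    {"event": "ProcessCreate", "pid": 5200, "ppid": 5000,
     "image": r"C:\Windows\System32\cmd.exe", "flags": []},
    {"event": "ImageLoad", "pid": 5200, "image": r"C:\Windows\System32\ntdll.dll",
     "base": NTDLL_BASE, "size": NTDLL_SIZE},
    {"event": "RemoteWrite", "source_pid": 5000, "target_pid": 5200,
     "address": NTDLL_BASE + 0x1000, "size": 1},
]


class _ProcState:
    """What the detector remembers about one process."""

    def __init__(self, ppid, suspended):
        self.ppid = ppid
        self.suspended = suspended     # created suspended and not yet resumed
        self.ntdll = None              # (base, end) after the ntdll ImageLoad
        self.writes_before_resume = 0  # cross-process writes seen while suspended


def hunt(events):
    """Return one alert per cross-process write that lands inside the ntdll
    image of a child that is still suspended since creation.

    Events must be in time order. Alerts are plain dicts so they can be fed
    straight into a SIEM or a test.
    """
    procs = {}
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "ProcessCreate":
            procs[ev["pid"]] = _ProcState(
                ev["ppid"], "CREATE_SUSPENDED" in ev.get("flags", []))
        elif kind == "ImageLoad":
            st = procs.get(ev["pid"])
            if st is not None and ev["image"].lower().endswith("\\ntdll.dll"):
                st.ntdll = (ev["base"], ev["base"] + ev["size"])
        elif kind == "ThreadResume":
            st = procs.get(ev["pid"])
            if st is not None:
                st.suspended = False   # later writes fall outside this rule
        elif kind == "RemoteWrite":
            st = procs.get(ev["target_pid"])
            if st is None or ev["source_pid"] == ev["target_pid"] or not st.suspended:
                continue
            st.writes_before_resume += 1
            if st.ntdll is not None and st.ntdll[0] <= ev["address"] < st.ntdll[1]:
                alerts.append({
                    "rule": "remote write into ntdll of suspended child",
                    "source_pid": ev["source_pid"],
                    "target_pid": ev["target_pid"],
                    "parent_is_writer": st.ppid == ev["source_pid"],
                    "address": ev["address"],
                    "offset_in_ntdll": ev["address"] - st.ntdll[0],
                    "size": ev["size"],
                    "writes_before_resume": st.writes_before_resume,
                })
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[!] {a['rule']}: pid {a['source_pid']} -> pid {a['target_pid']} "
              f"at ntdll+0x{a['offset_in_ntdll']:X} ({a['size']} bytes, "
              f"parent_is_writer={a['parent_is_writer']})")
```

On the constructed sample this yields a single alert for the injector's pointer write and stays silent on the later write into the never-suspended cmd.exe. Treat it as a hunting heuristic rather than a verdict: debuggers and some application-compatibility tooling also write into children they created suspended, so the alert is a starting point for triage, ideally correlated with what the child loads (or fails to load) right after it is resumed.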
The working implementation of Early Cascade Injection illustrates the continuing search for offensive techniques that exploit blind spots in security products. The research shows that even mature EDR solutions can be bypassed, raising the risk of intrusions going unnoticed. The technique has its own fragility, however: it depends on undocumented ntdll internals, so its reliability is tied to the Windows version in use and it may break with updates.